===========================================================
== Subject:     Incorrect permission checks when granting/removing
==              privileges can compromise file server security.
==
== CVE ID#:     CVE-2012-2111
==
== Versions:    Samba 3.4.x - 3.6.4 (inclusive)
==
== Summary:     Samba 3.4.x to 3.6.4 are affected by a
==              vulnerability that allows arbitrary users
==              to modify privileges on a file server.
==
===========================================================

===========
Description
===========

Samba versions 3.4.x to 3.6.4 inclusive are affected by a
vulnerability that allows arbitrary users to modify privileges on a
file server.

Security checks were incorrectly applied to the Local Security
Authority (LSA) remote procedure calls (RPC) CreateAccount,
OpenAccount, AddAccountRights and RemoveAccountRights, allowing any
authenticated user to modify the privileges database.

This is a serious error, as it means that authenticated users can
connect to the LSA and grant themselves the "take ownership"
privilege (SeTakeOwnershipPrivilege). This privilege is used by the
smbd file server to grant the ability to change ownership of a file
or directory, which means users could take ownership of files or
directories they do not own.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 3.6.5, Samba 3.5.15 and 3.4.17 have been issued
as security releases to correct the defect. Patches against older
Samba versions are available at:

    http://samba.org/samba/patches/

Samba administrators running affected versions are advised to upgrade
to 3.6.5, 3.5.15, or 3.4.17 or apply these patches as soon as
possible.

==========
Workaround
==========

Immediately set the "enable privileges = no" parameter in the
[global] section of the smb.conf. This will prevent any further use
of granted privileges on the file server and protect from compromise.
The parameter defaults to "yes", so it must be set explicitly; reload
or restart smbd afterwards so that running sessions pick up the
change.

To remove any incorrectly granted privileges, remove the file
account_policy.tdb from your system, and once the patch is applied
re-grant specified user privileges using the "net rpc rights"
command. Note that account_policy.tdb also holds the account policy
settings (password and lockout policies managed with "pdbedit -P"),
which will revert to their defaults when the file is removed and
should be set again afterwards.

=======
Credits
=======

This vulnerability was reported by Ivano Cristofolini. Many thanks to
him for reporting this promptly.

Patches were created by Jeremy Allison of the Samba Team, and
reviewed by Guenther Deschner of the Samba Team, the SUSE Security
Team, and Tyler Hicks of Canonical.
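The following script is an added example for the Workaround section above; it is not part of the Samba advisory or the Samba project. It audits an smb.conf for the effective value of "enable privileges" in [global] (honouring Samba's case- and whitespace-insensitive parameter names and the rule that the last occurrence wins) and rewrites the file so that [global] carries "enable privileges = no". The smb.conf contents and the temporary file path used in the demonstration are constructed for this example; the path of the real file (usually /etc/samba/smb.conf) and the commands to run on the live server afterwards are given as comments.

```shell
#!/bin/sh
# Added example, not from the Samba advisory: audit and enforce
# "enable privileges = no" in the [global] section of an smb.conf.

# Print the effective value of "enable privileges" in [global]:
# "yes" if absent (Samba's default) or set to yes/true/1, else "no".
# Comment lines (# or ;) and other sections are ignored, since the
# parameter is global-only.
effective_enable_privileges() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            s = tolower($0); sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            gsub(/[ \t]/, "", s); sect = s; next
        }
        sect == "global" && /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == "enableprivileges") {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                val = tolower(v)        # last occurrence wins, as in Samba
            }
        }
        END {
            if (val == "" || val == "yes" || val == "true" || val == "1")
                print "yes"
            else
                print "no"
        }
    ' "$1"
}

# Rewrite FILE so that [global] contains exactly one
# "enable privileges = no": any existing setting of the parameter in
# [global] is dropped and the hardened line is inserted right after
# the [global] header. Other sections are left untouched.
disable_privileges() {
    tmp="$1.tmp.$$"
    awk '
        /^[ \t]*[;#]/ { print; next }
        /^[ \t]*\[/ {
            s = tolower($0); sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            gsub(/[ \t]/, "", s); sect = s
            print
            if (sect == "global") print "   enable privileges = no"
            next
        }
        sect == "global" && /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == "enableprivileges") next   # drop old setting
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstration on a constructed smb.conf (the real file is normally
# /etc/samba/smb.conf; that path is an assumption of this example).
cfg=$(mktemp)
printf '%s\n' '[global]' '   workgroup = WORKGROUP' \
    '   Enable Privileges = Yes' '[homes]' '   browseable = no' > "$cfg"
echo "before: enable privileges = $(effective_enable_privileges "$cfg")"
disable_privileges "$cfg"
echo "after:  enable privileges = $(effective_enable_privileges "$cfg")"
rm -f "$cfg"

# On the live server, after editing the real smb.conf:
#   testparm -s | grep -i 'enable privileges'   # should show "No"
#   (reload or restart smbd)
# Once patched, inspect and re-grant privileges with the documented
# "net rpc rights" subcommands, e.g.
#   net rpc rights list accounts -U administrator
#   net rpc rights grant 'DOMAIN\user' SeTakeOwnershipPrivilege -U administrator
```

The audit step matters because smb.conf parsing is lenient: "Enable Privileges = Yes" and "enableprivileges = true" are the same parameter, and a later occurrence overrides an earlier one, so a naive grep for the literal string "enable privileges = no" can report the workaround as applied when it is not.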